[Snort-sigs] TCP sweeps

James Riden j.riden at ...1766...
Mon Dec 13 11:33:03 EST 2004


eltra1n <larry.wichman at ...2420...> writes:

> I had a user log on to my remote access VPN, the users machine was
> doing TCP-sweeps on port 445 and I think it may have been infected
> with MS Blaster. Does anyone have a suggestion on how I can detect
> this type of traffic with Snort. I am thinking of writing a sig that
> looks for port 445 traffic and setting a very high threshold; it would
> be nice not to re-invent the wheel though. Thanks in advance.

Blaster, the original, does not use 445/tcp for propagation; it uses
135/tcp.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

I'm using standard and bleeding snort sigs, and a script to tail
portscan.log - let me know if you'd like a copy.

Later worms such as Korgo and Sasser do use 445/tcp (and also scan a
lot more aggressively than Blaster did), as do trojans such as the
RxBot variants.

(Bleedingsnort.com has good rules for Lsasrv.dll exploits, IRC traffic
from trojans and Korgo.P executable transfers.)

What's in portscan.log if you grep for the problem IP address?

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
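The "grep portscan.log for the problem IP" step above, as an added example that is not the script Jamie offers in the post: it parses sfportscan-style portscan.log event blocks and sums, per source address, how many distinct hosts were probed by TCP Portsweep events whose port range covers 445/tcp. The record layout assumed here (a `Time:` line, an `event_ref:` line, a `src -> dst (portscan) TCP Portsweep` header, then `IP Count:` and `Port/Proto Range:` fields) is the sfportscan preprocessor output format as I know it; the three log entries are constructed, not captured from a real sensor, and the function names and the 20-host cut-off are my own choices.

```python
"""List sources sweeping a TCP port (default 445) from a Snort
sfportscan-style portscan.log.  Added example; the sample log is
constructed and the field names assume sfportscan's output layout."""
import re
import sys
from collections import defaultdict

# Constructed sample: one VPN client (10.8.0.23) sweeping 445/tcp across two
# subnets, plus an unrelated vertical portscan of a single host.
SAMPLE_LOG = """\
Time: 12/13-11:20:01.000000
event_ref: 0
10.8.0.23 -> 192.168.10.5 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 40
IP Count: 40
Scanned IP Range: 192.168.10.1:192.168.10.60
Port/Proto Count: 1
Port/Proto Range: 445:445

Time: 12/13-11:21:15.000000
event_ref: 0
10.8.0.23 -> 192.168.11.9 (portscan) TCP Portsweep
Priority Count: 5
Connection Count: 30
IP Count: 30
Scanned IP Range: 192.168.11.1:192.168.11.40
Port/Proto Count: 1
Port/Proto Range: 445:445

Time: 12/13-11:25:42.000000
event_ref: 0
10.8.0.77 -> 192.168.10.5 (portscan) TCP Portscan
Priority Count: 5
Connection Count: 12
IP Count: 1
Scanned IP Range: 192.168.10.5:192.168.10.5
Port/Proto Count: 12
Port/Proto Range: 21:8080
"""

# Header line of each event block: "src -> dst (portscan) <proto> <kind>"
HEADER_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) \(portscan\) (?P<proto>\S+) (?P<kind>.+)$"
)


def parse_portscan_log(text):
    """Split the log on blank lines and turn each event block into a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = HEADER_RE.match(line)
            if m:
                rec.update(m.groupdict())
                continue
            key, sep, value = line.partition(":")  # "IP Count: 40", "Time: 12/13-..."
            if sep:
                rec[key.strip()] = value.strip()
        if "src" in rec:  # skip blocks with no recognisable header line
            records.append(rec)
    return records


def port_in_range(port, port_range):
    """True if `port` falls inside an sfportscan 'lo:hi' Port/Proto Range."""
    lo, _, hi = port_range.partition(":")
    return int(lo) <= port <= int(hi or lo)


def sweeping_sources(records, port=445, min_hosts=20):
    """Per source, sum 'IP Count' over TCP Portsweep events that include
    `port`; return the sources that probed at least `min_hosts` targets."""
    totals = defaultdict(int)
    for rec in records:
        if rec.get("kind") != "Portsweep" or rec.get("proto") != "TCP":
            continue
        if not port_in_range(port, rec.get("Port/Proto Range", "0:0")):
            continue
        totals[rec["src"]] += int(rec.get("IP Count", 0))
    return {src: n for src, n in totals.items() if n >= min_hosts}


def events_for(records, ip):
    """Every event in which `ip` appears as source or target (the grep step)."""
    return [r for r in records if r["src"] == ip or r["dst"] == ip]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_portscan_log(text)
    for src, n in sorted(sweeping_sources(recs).items()):
        print(f"{src}: {n} hosts probed on 445/tcp")
```

Run it with the path to portscan.log as its only argument, or with no argument to see the constructed sample flag 10.8.0.23 (70 hosts) and ignore 10.8.0.77, whose single-host vertical scan happens to span 445 but is not a sweep. The same distinction is what makes sfportscan's Portsweep events a better trigger than a raw count of 445/tcp packets: a file server legitimately receives many 445/tcp connections from many clients, but one client opening 445/tcp to dozens of distinct hosts in a minute is what a worm looks like.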